WORM_AGOBOT.AZ

WORM_AGOBOT.AZ is currently spreading in the wild. This non-destructive, memory-resident worm exploits several vulnerabilities to propagate across networks. Like earlier AGOBOT variants, it takes advantage of three Windows vulnerabilities and also uses a long list of passwords to log on to, and copy itself to, remote machines protected by weak passwords. The worm functions as a backdoor and allows malicious users to access infected machines via IRC (Internet Relay Chat): it serves as a bot, waiting for commands from remote users. It also terminates certain Windows processes. WORM_AGOBOT.AZ runs on Windows 2000 and XP.

Upon execution, this worm drops a copy of itself in the Windows system folder as WINCOMM.EXE. To enable its automatic execution at every system startup, it creates two registry entries.

This worm takes advantage of the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability present on Windows NT-based systems, which allows a remote user to gain full access to a target machine and execute arbitrary code on it, leaving it compromised. It looks for vulnerable machines on the network by scanning random IP addresses on TCP port 135. It also uses the RPC Locator vulnerability, which affects Windows NT systems, and searches for vulnerable Windows NT machines on the network by scanning IP addresses incrementally on TCP port 445. Finally, this worm exploits the IIS5/WEBDAV buffer overrun vulnerability affecting Windows NT platforms, which enables arbitrary code to execute on the server.
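The two scanning behaviours described above (random targets on TCP 135, incrementing targets on TCP 445) leave a recognisable footprint in perimeter or host firewall logs. The following detector is an added example, not part of the Trend Micro description and not the worm's own code. It reads constructed firewall-style log lines (the format `<epoch> <src> <dst> <dport> <action>` and the sample addresses are assumptions made for this example), groups connection attempts by source host and destination port, and flags a source that touches more than a threshold of distinct destinations on one of the two ports, reporting whether the targets were visited in address order or not.

```python
"""Flag hosts whose connection pattern matches the propagation scans
described in the advisory: many distinct targets on TCP 135 (random
order) or TCP 445 (incremental order) from one source.

Added example. The log line format and every address below are
constructed for illustration; they are not from the advisory.
"""
from collections import defaultdict
import ipaddress

SCAN_PORTS = {135, 445}
THRESHOLD = 5  # distinct destinations on one port before a source is flagged

# Constructed sample log: "<epoch> <src> <dst> <dport> <action>"
# 10.0.0.5 walks 10.0.3.1 .. 10.0.3.8 on 445 (incremental scan)
# 10.0.0.9 hits scattered addresses on 135 (random scan)
# 10.0.0.2 is a normal client talking to one file server and one web server
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.3.1 445 SYN
1001 10.0.0.5 10.0.3.2 445 SYN
1002 10.0.0.5 10.0.3.3 445 SYN
1003 10.0.0.5 10.0.3.4 445 SYN
1004 10.0.0.5 10.0.3.5 445 SYN
1005 10.0.0.5 10.0.3.6 445 SYN
1006 10.0.0.5 10.0.3.7 445 SYN
1007 10.0.0.5 10.0.3.8 445 SYN
1000 10.0.0.9 192.168.44.2 135 SYN
1001 10.0.0.9 10.77.1.9 135 SYN
1002 10.0.0.9 172.16.200.3 135 SYN
1003 10.0.0.9 10.2.2.2 135 SYN
1004 10.0.0.9 192.168.1.100 135 SYN
1005 10.0.0.9 10.200.3.4 135 SYN
1000 10.0.0.2 10.0.1.10 445 SYN
1001 10.0.0.2 10.0.1.10 445 SYN
1002 10.0.0.2 10.0.1.20 80 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _action = line.split()
    return int(ts), src, dst, int(dport)


def _ordering(dsts):
    """'incremental' if each target is exactly one address above the
    previous one (the 445 behaviour), otherwise 'random'."""
    ints = [int(ipaddress.ip_address(d)) for d in dsts]
    steps = [b - a for a, b in zip(ints, ints[1:])]
    return "incremental" if steps and all(s == 1 for s in steps) else "random"


def analyze(lines, threshold=THRESHOLD):
    """Return {(src, dport): {"targets": n, "pattern": ...}} for every
    source that contacted at least `threshold` distinct hosts on a scan port."""
    by_src_port = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in SCAN_PORTS:
            by_src_port[(src, dport)].append((ts, dst))

    findings = {}
    for (src, port), events in by_src_port.items():
        events.sort()  # replay in time order so ordering reflects scan behaviour
        dsts = [d for _, d in events]
        distinct = len(set(dsts))
        if distinct < threshold:
            continue  # a normal client reuses a few servers; not a scan
        findings[(src, port)] = {"targets": distinct, "pattern": _ordering(dsts)}
    return findings


if __name__ == "__main__":
    for (src, port), info in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {info['targets']} hosts on tcp/{port} ({info['pattern']} scan)")
```

Both ports carry legitimate traffic (DCOM on 135, SMB on 445), so the distinct-destination threshold, not the port alone, is what separates a propagating host from an ordinary client; in production the threshold would be tuned to the environment and applied per time window rather than over the whole log.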

The worm also searches remote machines on the same network for the following shares and attempts to drop a copy of itself into each one:

admin$
c$
d$
e$
print$

It logs on using a long list of user names and passwords, so machines with weak passwords are vulnerable to this attack.

This worm also functions as a backdoor and allows a malicious user to access the machine via IRC (Internet Relay Chat). It serves as a bot, waiting for the following commands from the remote user and processing them locally:

If you would like to scan your computer for WORM_AGOBOT.AZ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_AGOBOT.AZ is detected and cleaned by Trend Micro pattern file #691 and above.